packages/docs/docs/security.mdx
Remotion is a software that can generate videos programmatically. It does so by running a headless browser, capturing images, and encoding them into a video. This in itself does not pose a security risk. However, Remotion interacts with the Web, can be used in the cloud and uses the NPM ecosystem.
When starting the Remotion Studio or running a render via the command line, environment variables that are prefixed with REMOTION_ and .env are passed to the headless browser. You are responsible to ensure those environment variables do not exposed to other services as you are interfacing with the Web.
You should not try to call renderMediaOnLambda() or other APIs from @remotion/lambda from your app frontend. Those APIs can only be called with AWS credentials, meaning that you would have to expose your AWS credentials to the web. This is a security risk and should be avoided.
disableWebSecurity flagWe provide as a workaround for CORS issues the disableWebSecurity flag. This flag disables the same-origin policy in the headless browser. If you are using it, you need to be aware of the implications of it and assess whether this can pose a security risk to you.
APIs such as renderMedia() and renderMediaOnLambda() may be expensive (computationally or financially) to run. You should ensure that you are not exposing those APIs to the web without authentication or rate limiting. Otherwise, you may be vulnerable to DDoS attacks.
Since Remotion is distributed via NPM, reports of scans of our dependencies can be publicly viewed on platforms such as Socket. You can check specific Remotion packages for vulnerabilities:
Make sure to also check other Remotion packages you plan to use by searching for them on Socket or similar security scanning platforms.
Remotion does not have security certifications such as ISO27001 or SOC2. This is uncommon for JavaScript packages distributed via NPM. You may find comfort in the fact that there is no data processing done by Remotion's servers. After you obtain a license, you simply run Remotion on your own infrastructure, with no connection to our servers.
We generally respond to alerts from GitHub's vulnerability scanner and dependency security advisories. Our process includes:
Please note that we handle security situations on an ad-hoc basis and cannot provide guarantees about response times or specific security thresholds.
Often you will use Remotion alongside other Node.js dependencies.
You should only install dependencies you trust, since they can run arbitrary code in their postinstall scripts.
Dependencies, including Remotion, may have known vulnerabilities which you can list with the npm audit command.
If you believe to have found a security vulnerability, you can report it to [email protected]